FIG. 1 (block diagram): preprocessing module, application package, server (reference numerals 110, 115, 120)

FIG. 2 (block diagram, 110):
  Inputs: application binary 210, libraries 220, configuration files 230, data files 240
  Preprocessor module
  Outputs: modified binaries 215, modified libraries 225, modified configuration files 235, modified data files 245
  Execution environment information 250: directory structures, security information
  System information 260

FIG. 3 (block diagram, normal execution): system interface 320; system DLLs 340; resource allocation and deallocation, registry, file system (330, 350, 360); other environment, network (370, 380); graphics interfaces 390; operating system

FIG. 4 (block diagram, secure execution): preprocessed application, application manager, intercepted system calls 415; virtualized resource allocation and deallocation, virtualized registry, virtualized file system, virtualized system interface (resources, files, data, names), virtualized other environment, virtualized network, virtualized graphics interfaces 450; beneath these, the system interface 320, system DLLs 340, resource allocation and deallocation, registry, file system, other environment, network and graphics interfaces 390 of FIG. 3 (reference numerals 405, 410, 420, 425, 430, 435, 440, 445, 330, 350, 360, 370, 380)

FIG. 5 (flowchart):
  Begin
  510: Compile source code into object code
  520: Preprocess application package for execution in the secure client environment
  530: Application manager on client retrieves modified object code from server
  540: Initialize application package and patch libraries
  550: Virtualize intercepted calls during execution
  560: Transmit results to server
  Return

FIG. 6 (flowchart):
  610: Modify and add additional execution environment information of package
  630: Encrypt files of application package
  640: Encrypt filenames
  650: Encrypt filenames in import table
  660: Encrypt and sign application package
  Return

FIG. 7 (flowchart, 610):
  Begin
  710: Scan for improper instructions or sequences
  Rewrite application binary to intercept improper sequences
  740: Rewrite import table of binaries to add interception module
  760: Store modified application binary
  Return

FIG. 8 (flowchart):
  Begin
  810: Add interception module to application package
  820: Add security information to application package
  830: Provide virtual environmental settings for system database
  840: Provide virtual system modules to allow application package to execute on non-native platforms
  850: Remove selected files from application package
  860: Obfuscate directory structure
  End

FIG. 9 (flowchart):
  Begin
  910: Application manager requests operating system to execute application package
  920: Operating system loads all libraries identified by import tables into memory
  930: Operating system executes initialization routine of default system libraries
  940: Operating system examines import table and executes initialization routine of the intercept module first
  950: Patch loaded libraries
  960: Make all code pages execute only and remove all execution privileges from remaining pages
  970: Initialize virtual system database
  980: Start virtual machine communication thread
  990: Operating system executes initialization routines of other libraries in the import table

FIG. 10 (flowchart, 950):
  Begin
  1010: Create an available list of routines based upon all system routines listed by the export table of the library being processed
  1020: Create a shutdown list by deleting from available list all system routines maintained by intercept module
  1030: Intercept routines in shutdown list so that they invoke an error handling routine
  1040: Intercept all routines identified by virtual list
  1050: Routines in mediated list are not modified
  Return

FIG. 11 (flowchart):
  Begin
  1110: Retrieve start address of routine to be intercepted
  1120: Retrieve start address of the wrapper routine
  1130: Create a dynamic version of the intercepted routine
  1140: Set page attributes of dynamically created code to execute only
  1150: Replace original routine with no-ops ending with error code
  1160: Change entry point of intercepted routine to directly point to wrapper routine
  1170: Modify variable used by wrapper routine to point to dynamically created routine
  Return


FIG. 12 (flowchart; reference numerals 1210, 1220, 1240):
  Decision: should application create new database? Yes: create virtual database
  1250: Copy predefined list of non-changed keys from system database to virtual database
  1260: Read predefined list of masked keys from real system database
  (Yes)
  1270: Completely or partially change data using predefined data for database table maintained by intercept modules
  1280: Write the new changed data to virtual database
  Return

FIG. 13 (flowchart with branches; reference numerals 1305, 1310, 1330, 1335, 1340, 1345, 1355):
  Resource request
  Graphics
  Process create and terminate
  1365: Modify page permissions
  Database
  Shutdown
  Machine specific information
  1350: Raise an error identifying which routine is called
  End

FIG. 14 (flowchart; reference numerals 1425, 1430, 1486):
  Begin
  1405: Identify type of file system request
  1410: Open
  1415: Read or write
  1420: Map file to memory
  Routines that return a filename
  Unmap file from memory
  1480: Do not modify call
  1482: Encrypt filename
  1450: Create virtual and encrypted filename to redirect it to sandbox
  1455: Does directory in filename exist in virtual root tree?
  1460: Create directories in virtual tree
  Remove write privileges from open command
  1490: Call original open and return handle
  Return

FIG. 15 (flowchart):
  Begin
  Identify block corresponding to address causing exception
  If exception is not handled by the application, then notify a virtual machine thread
  Decrypt block from real buffer, copying it to the virtual buffer
  1540: Modify virtual memory block protection flag to be accessible
  Return

FIG. 16 (flowchart; reference numerals 1610, 1620, 1630, 1650, 1660, 1670):
  Begin
  Encrypt filename
  Load library "NAME" into memory if not already loaded
  Check for improper instruction sequences
  Recursively load all libraries that selected library depends upon in its import table list into memory if not already loaded
  Patch loaded libraries
  Make code pages execute only and remove all execution privileges from remaining new pages
  1665: Execute DLL initialization of all loaded libraries
  End

FIG. 17 (flowchart; reference numeral 1740):
  Begin
  1710: Check file for improper instruction sequences
  1720: Intercept improper sequences that were found
  Virtual memory space allocated containing those improper sequences not intercepted will be set such that it cannot be executed


FIG. 18 



FIG. 19 (flowchart, accept):
  Initialize socket structure (local) with input parameters to accept
  Remove entry from connect queue and initialize options and remote socket structure from entry
  Enqueue message for proxy sending back local socket structure to remote proxy
  Return

FIG. 20 (flowchart, send)



FIG. 21 (flowchart; reference numerals 2150, 2160):
  Notify proxy
  Return


FIG. 22 (flowchart, receive; reference numerals 2235, 2240):
  Begin
  Return error
  Return status
  2245: Copy into buffer up to amount specified to receive
  Block
  2250: Remove consumable entries from receive queue
  2255: Return number of bytes copied
  End


FIG. 23 (flowchart, receive from):
  Begin
  2350: Remove consumable entries from receive queue
  2355: Look up the remote address and update the arguments
  2360: Return number of bytes copied


FIG. 24 (flowchart, close; reference numeral 2440):
  Begin
  Set status as "TERMINATE" for table entry
  Return


FIG. 25 (flowchart, shutdown; reference numeral 2520):
  2540: Return low level error
  Return low level error (No branch)
  2550: Change status to be shutdown
  2560: Notify proxy
  Return


FIG. 26 (flowchart, select):
  Begin
  2610: Wait for specified delay time to expire
  2620: Given list(s) of sockets, find all sockets meeting a given condition
  2630: Modify socket list based on query
  2640: Return number of sockets that meet condition
  End


FIG. 27 (flowchart, socket):
  Begin
  2710: Create new entry in socket table and initialize entry
  2720: Return unique socket ID


FIG. 28 (flowchart, bind)

FIG. 29 



FIG. 30 (flowchart, listen):
  Begin
  (Yes)
  3030: Update status flag to listen and initialize connection queue
  Return


FIG. 31 (flowchart, query)


FIG. 32 (flowchart, update)



FIG. 33 (flowchart; reference numeral 3340):
  Begin
  3310: Refuse to make page with execution privileges readable
  3320: Refuse to make page with execution privileges writeable
  Check page for improper instruction sequences
  3350: Intercept improper sequences found
  Refuse to make pages containing the remaining, not intercepted improper sequences executable
  Make pages with no improper sequences, or ones with all improper sequences intercepted, executable

FIG. 34 (flowchart; reference numerals 3445, 3460):
  Begin
  3405: Routines that directly show a window or make it visible, activate, draw, display, change focus, paint, etc.: disable aspects of routine that affect visible aspect of graphical user interface
  3410: Send messages and set window properties to windows not in application package are disabled
  3415: Create window or normal dialog box creation
  3420: Set style of window to "HIDE" or "INVISIBLE"
  3425: Call the original create routine
  3430: Create a modal dialog box
  3435: Do not create modal dialog box; instead return a result most likely to continue execution
  Communicate dialog message to VM communication thread
  Before calling the real operating system routine, remove the window styles that show it, make it visible, activate it, make it the focus, etc.
  Return

FIG. 35 (reference numeral 3560; remaining labels not legible in the scan)

FIG. 36 (flowchart, open key; reference numerals 3615, 3620):
  Begin
  3605: Look in virtual database for key
  3610: Is key in virtual database?
  3635: Open key in real database
  3640: Look up key in predefined run-time change list
  3645: Insert fake key, value, and data in virtual database
  Change all values in predefined list
  3650: Write key with all new and unchanged values and data to virtual database
  3625: Allocate a handle in virtual database
  3630: Return handle
  Return


FIG. 37 



FIG. 38 (flowchart):
  Begin
  3810: Query system using file handle to get filename
  Return

FIG. 39 (flowchart):
  Begin
  3910: Identify encrypted blocks containing requested data
  3920: Read encrypted blocks from file system into a temporary buffer
  3930: Decrypt contents of temporary buffer
  3940: Copy decrypted address range into original buffer
  Return

FIG. 40 (flowchart):
  Begin
  4010: Identify address range to be written to
  4020: Read encrypted blocks containing corresponding address range from file system into a temporary buffer
  4030: Decrypt contents of temporary buffer
  4040: Copy stored buffer into temporary buffer
  4050: Encrypt temporary buffer
  4060: Write buffer to disk
  Return

FIG. 41 (flowchart):
  Begin
  4110: Load and map file into memory
  Reserve a region without allocating physical resources
  Store in memory mapped table a pointer to virtual buffer, pointer to real buffer, size and handle
  4170: Return pointer to virtual address buffer
  4180: Return pointer to real buffer
  Return

FIG. 42 (flowchart, alternate to FIG. 41):
  Begin
  4210: Load and map file into memory
  4220: Decision (No / Yes)
  4230: Create a virtual buffer containing decrypted data from real buffer
  4240: Return pointer to virtual buffer
  4250: Return pointer to real buffer
  Return


FIG. 43 (flowchart; real and virtual buffers):
  4320: Identify which portions of buffer have been modified
  4330: Encrypt identified portions of memory into real buffer
  4340: Call operating system with real buffer
  Return

FIG. 44 (flowchart):
  Begin
  4410: Execute requested routine
  4420: Decrypt each of the returned filenames
  Return

FIG. 45 (flowchart):
  Begin
  (Yes) Identify encrypted portions of pathname using prefix and postfix symbols
  4520: Decrypt the encrypted part of the pathname
  4530: Encrypt the full pathname
  Return

FIG. 46: Traditional system layout

FIG. 47: Virtualized system layout (exe file, appdir, data file, library, TMP, system file; labels C1, D2)

FIG. 49 (rotated block diagram; labels not legible in the scan)

FIG. 50 (flowchart with pause, resume and checkpoint entry points; reference numerals 5000, 5005, 5010, 5025):
  Pause: 5040: Make list of all threads in process; remove from list VM threads; 5045: Suspend all threads remaining in this "suspend" list; 5015: Store the list of suspended threads
  Resume: Call resume thread on all threads in suspend list; 5030: Remove thread from suspend list once it is resumed
  Checkpoint: 5035: Call checkpoint routine in application
  5020: Return success or failure event to application manager

FIG. 51 (flowchart; reference numerals 5100, 5105, 5110):
  Begin
  Result file completion
  Send progress statistics to application manager
  Send finished result filename and location to application manager
  End